
RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks


Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
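The loader-then-kill sequence described above, turned into a detection idea: this added Python sketch (not Sophos code) correlates a driver load from an unusual path, or a driver whose file name the post mentions, with terminations of security-agent processes shortly afterwards. The record format, the field names and the agent process names are constructed for the illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind image actor")

# Driver file names the post cites as abused in BYOVD attacks (the Process
# Explorer driver is procexp152.sys). Matching on name alone is a weak signal,
# since a renamed copy still loads; the correlation in detect() is the real check.
ABUSED_DRIVERS = {"rentdrv2.sys", "threatfiremonitor.sys", "procexp152.sys"}
# Security-agent process names to watch; placeholders for a real product's names.
PROTECTED = {"edr_agent.exe", "av_service.exe"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def parse(line):
    # Constructed record format: "<ISO time>|<kind>|<image>|<actor process>"
    ts, kind, image, actor = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, image.lower(), actor.lower())

def suspicious_driver(ev):
    name = ev.image.rsplit("\\", 1)[-1]
    return name in ABUSED_DRIVERS or not ev.image.startswith(SYSTEM_DRIVER_DIR)

def detect(lines, window=timedelta(minutes=5), min_kills=2):
    """Return one alert per suspicious driver load that is followed, within
    `window`, by at least `min_kills` terminations of protected processes."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for ev in events:
        if ev.kind != "DriverLoad" or not suspicious_driver(ev):
            continue
        kills = [k for k in events
                 if k.kind == "ProcessTerminate" and k.image in PROTECTED
                 and ev.ts <= k.ts <= ev.ts + window]
        if len(kills) >= min_kills:
            alerts.append({"driver": ev.image, "loader": ev.actor,
                           "killed": sorted({k.image for k in kills})})
    return alerts

# Constructed telemetry: a normal driver load, then a driver dropped in a
# user-writable folder followed by the security agents being terminated.
SAMPLE = """
2024-05-14T09:00:01|DriverLoad|c:\\windows\\system32\\drivers\\tcpip.sys|system
2024-05-14T09:03:10|DriverLoad|c:\\users\\public\\rentdrv2.sys|loader.exe
2024-05-14T09:03:12|ProcessTerminate|edr_agent.exe|loader.exe
2024-05-14T09:03:13|ProcessTerminate|av_service.exe|loader.exe
2024-05-14T09:03:20|ProcessTerminate|notepad.exe|explorer.exe
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print("BYOVD EDR-kill pattern:", alert)
```

Tamper protection, as the post recommends, is what stops the terminations in the first place; a rule like this is the fallback that tells you an attempt was made.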

KnowBe4 Avoids Data Breach After Hiring North Korean Hacker


American cybersecurity firm KnowBe4 recently discovered that a new hire, brought on as a Principal Software Engineer, was actually a North Korean state actor. This individual attempted to install data-stealing malware on the company's devices, but the threat was identified and neutralised before any data breach occurred.

This incident is a testament to the persistent threat from North Korean operatives posing as IT professionals, a danger that the FBI has been warning about since 2023. North Korea has a well-organised network of IT workers who disguise their true identities to secure employment with American companies. The revenue generated by these infiltrators funds the country's weapons programs, cyber operations, and intelligence gathering.

How the Hacker Bypassed Checks

Before hiring the malicious actor, KnowBe4 conducted extensive background checks, verified references, and held four video interviews. Despite these precautions, the individual used a stolen U.S. identity and AI tools to create a fake profile picture that matched during the video calls. This deception enabled the hacker to bypass the initial vetting process.

On July 15, 2024, KnowBe4's Endpoint Detection and Response (EDR) system flagged an attempt to load malware from the Mac workstation recently issued to the new hire. The malware, designed to steal information stored in web browsers, was intended to capture any leftover credentials or data from the computer's previous user.

When confronted by KnowBe4's IT staff, the state actor initially offered excuses but soon ceased all communication.

Deceptive Hiring Practices

KnowBe4 CEO Stu Sjouwerman explained that the scheme involved tricking the company into sending the workstation to an "IT mule laptop farm" near the address provided by the fraudster. The hacker then used a VPN to connect to the device during U.S. working hours, making it seem like they were working as usual.

To prevent similar incidents, KnowBe4 advises companies to use isolated sandboxes for new hires, keeping them away from critical network areas. Additionally, firms should ensure that new employees' external devices are not used remotely and treat any inconsistencies in shipping addresses as potential red flags.

This incident at KnowBe4 highlights the intricate methods employed by North Korean hackers to infiltrate American companies. By staying vigilant and implementing robust security measures, firms can protect themselves from such threats.


The Indispensable Role of the CISO in Navigating Cybersecurity Regulations


With evolving cyber threats and stringent regulatory requirements, CISOs are tasked with ensuring the confidentiality, integrity, and availability of an organization’s digital systems and data. This article examines the regulatory landscape surrounding cybersecurity and explores effective strategies for CISOs to navigate these requirements. CISOs must stay updated on regulations and implement robust security practices to protect their organizations from legal consequences. 

The SEC has introduced rules to standardize cybersecurity risk management, strategy, governance, and incident disclosures. These rules apply to public companies under the Securities Exchange Act of 1934 and include both domestic and foreign private issuers. Companies are required to promptly disclose material cybersecurity incidents, detailing the cause, scope, impact, and materiality. Public companies must quickly disclose cybersecurity incidents to investors, regulators, and the public to prevent further damage and allow stakeholders to take necessary actions. 

Detailed disclosures must explain the incident's root cause, the affected systems or data, and the impact, whether it resulted in a data breach, financial loss, operational disruption, or reputational harm. Organizations need to assess whether the incident is substantial enough to influence investors’ decisions. Failure to meet SEC disclosure requirements can lead to investigations and penalties. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that companies report significant cyber incidents to the Department of Homeland Security (DHS) within 24 hours of discovery.

CISOs must ensure their teams can effectively identify, evaluate, validate, prioritize, and mitigate vulnerabilities and exposures, and that security breaches are promptly reported. Reducing the organization’s exposure to cybersecurity and compliance risks is essential to avoid legal implications from inadequate or misleading disclosures. Several strategies can strengthen an organization's security posture and compliance. Regular security tests and assessments proactively identify and address vulnerabilities, ensuring a strong defense against potential threats. Effective risk mitigation strategies and consistent governance practices enhance compliance and reduce legal risks. Employing a combination of skilled personnel, efficient processes, and advanced technologies bolsters an organization's security. Multi-layered technology solutions such as endpoint detection and response (EDR), continuous threat exposure management (CTEM), and security information and event management (SIEM) can be particularly effective. 

Consulting with legal experts specializing in cybersecurity regulations can guide compliance and risk mitigation efforts. Maintaining open and transparent communication with stakeholders, including investors, regulators, and the board, is critical. Clearly articulating cybersecurity efforts and challenges fosters trust and demonstrates a proactive approach to security. CISOs and their security teams lead the battle against cyber threats and must prepare their organizations for greater security transparency. The goal is to ensure effective risk management and incident response, not to evade requirements. 

By prioritizing risk management, governance, and technology adoption while maintaining regulatory compliance, CISOs can protect their organizations from legal consequences. Steadfast adherence to regulations, fostering transparency, and fortifying defenses with robust security tools and best practices are essential for navigating the complexities of cybersecurity compliance. By diligently upholding security standards and regulatory compliance, CISOs can steer their organizations toward a future where cybersecurity resilience and legal compliance go hand in hand, providing protection and peace of mind for all stakeholders.

The Rise of Weaponized Software: How Cyber Attackers Outsmart Traditional Defenses


As businesses navigate the digital landscape, the threat of ransomware looms larger than ever before. Each day brings new innovations in cybercriminal techniques, challenging traditional defense strategies and posing significant risks to organizations worldwide. Ransomware attacks have become increasingly pervasive, with 66% of companies falling victim in 2023 alone, and this number is expected to rise. In response, it has become imperative for businesses to reassess their security measures, particularly in the realm of identity security, to effectively combat attackers' evolving tactics.
 
Ransomware has evolved beyond merely infecting computers with sophisticated malicious software. Cybercriminals have now begun exploiting legitimate software used by organizations to conduct malicious activities and steal identities, all without creating custom malware. One prevalent method involves capitalizing on vulnerabilities in Open Source Software (OSS), seamlessly integrating malicious elements into OSS frameworks. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about this growing trend, citing examples like the Lockbit operation, where cyber attackers leverage legitimate, free software for nefarious purposes. Conventional endpoint security solutions often lack the necessary behavior analytics capabilities to detect subtle indicators of compromise. 

As a result, attackers can exploit tools already employed by organizations to acquire admin privileges more easily while evading detection. This underscores the need for organizations to stay abreast of evolving techniques and adapt their defense strategies accordingly. Throughout the ransomware attack lifecycle, cybercriminals employ a variety of tactics to advance their missions. 

From initial infection to data exfiltration, each stage presents unique challenges and opportunities for attackers. For example, attackers may exploit vulnerabilities, manipulate cookies, or employ phishing emails to gain initial access. Once inside a network, they utilize legitimate software for persistence, privilege escalation, lateral movement, encryption, and data exfiltration. 

One critical aspect of mitigating the risk posed by ransomware is embracing an identity-centric defense-in-depth approach. This approach places emphasis on important security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR), email security, and patch management. By prioritizing least privilege and behavior analytics, organizations can strengthen their defenses and mitigate the risk of falling victim to ransomware attacks. 

As ransomware attacks continue to evolve and proliferate, organizations must prioritize identity security and adopt a proactive approach to defense. By recognizing and addressing the tactics employed throughout the ransomware attack lifecycle, businesses can bolster their defenses, enhance identity security, and safeguard against the ever-evolving threat of ransomware.

Phishers Luring Users to Install Malware With Fake OnlyFans Content



An investigation has been conducted into a malicious campaign that targets smartphone users. The campaign distributes fake OnlyFans content to infect victims' devices with malware called DcRAT, which steals data and credentials from the device or encrypts it and leaves a ransom note. Given that the campaign has been running since January 2023, it poses one of the highest risks to users' devices and personal information.

The subscription service OnlyFans gives paid subscribers access to private photos, videos, and posts from celebrities, adult models, and social media personalities through a private area of its website.

As one of the most popular websites around, with a well-known name and a broad audience, it is a magnet for those seeking free access to paid content.

eSentire has discovered an ongoing campaign, running since January 2023, that spreads ZIP files containing VBScript loaders. Victims are tricked into executing these loaders manually, believing they are about to unlock premium OnlyFans collections.

There is little information on the infection chain; however, experts speculate it could involve malicious forum posts, instant messages, spam, or even black SEO sites that rank highly on search engines for certain keywords. Eclypsium has shared nude pictures of actress Mia Khalifa, who previously appeared in adult films.

The VBScript loader is a minimally modified and obfuscated version of one found in a 2021 campaign that Splunk discovered; it was created by slightly modifying a legitimate Windows printing script.

The cybersecurity firm eSentire, a leading entity in the industry, was the first to notice this threat. During an investigation by the company's Threat Response Unit (TRU), it discovered DcRAT, a variant of the widely used AsyncRAT, on the system of a customer in the consumer services sector. DcRAT is a powerful remote access tool that can also steal information and encrypt files.

A central part of the campaign's methodology is luring victims with explicit OnlyFans content, specifically targeting users who engage with adult-oriented material. Victims download ZIP files containing a VBScript loader and execute it manually, believing it will give them access to premium content otherwise available only through OnlyFans.

Unbeknownst to them, this action triggers the installation of the DcRAT Trojan, which grants the attackers full remote access to their devices.

A DcRAT infection exposes a compromised system to several threats: the operator can monitor the webcam, alter files, access the device remotely, steal web browser credentials and Discord tokens, and monitor the browser's cookies.

The report further reveals that DcRAT can log keystrokes, monitor webcams, manipulate files, and provide remote access over the internet. Besides web browser credentials, it can steal Discord tokens and browser cookies. DcRAT also includes a ransomware plugin that targets all non-system files and appends a DcRat file extension to the encrypted files.

Meanwhile, researchers have observed an increase in Android malware that poses as the popular AI chatbot ChatGPT; smartphone users are its targets.

Researchers from Palo Alto Networks Unit 42 reported that these malware variants emerged alongside OpenAI's GPT-3.5 and GPT-4 tools, infecting those interested in using ChatGPT.

Additionally, the DcRAT ransomware plugin encrypts non-system files, making them unusable without the decryption key, which threat actors typically hold for ransom.

Though the exact method of infection remains unclear, experts speculate that malicious forum posts, instant messages, malvertising, and search engine optimization techniques may serve as attack vectors. Users therefore need to exercise caution when browsing the internet, avoid unfamiliar links, and stay vigilant when interacting with suspicious individuals online.

eSentire's Threat Response Unit (TRU) recommends several proactive measures to mitigate the risks associated with this malware campaign. Users are advised to complete Phishing and Security Awareness Training (PSAT) to recognise the most common types of potentially malicious content and report it appropriately.

In addition, execution of script files such as .vbs files should be restricted at all times, and systems should be configured so that script files open in a trusted application such as Notepad rather than being executed on double-click.

It is also critically important to keep your antivirus signatures up-to-date and to use scanners that are capable of providing Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) protection in addition to your regular antivirus programs to protect against emerging threats. Users also have to ensure that their devices are regularly updated, as security patches are often included in updates.
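The ZIP-plus-VBScript delivery described in this post, and the advice to keep script files from running, as an added example that is not eSentire's tooling: this Python checker inspects an archive before a user can double-click its contents, flagging script members, double extensions such as `.jpg.vbs`, and a few VBScript dropper fragments, and recursing into nested ZIPs. The archive, its file names and its contents are constructed in memory so the check runs offline.

```python
import io
import zipfile

# Extensions Windows hands to a script host or shell on double-click.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1")
# Fragments common in VBScript droppers; weak alone, useful as a second hint.
VBS_HINTS = (b"Execute(", b"Chr(", b"WScript.Shell", b"CreateObject(")

def is_script(name):
    return name.lower().endswith(SCRIPT_EXTS)

def inspect_zip(data, depth=0, max_depth=2):
    """Return [(member_path, reasons)] for each suspicious member, recursing
    into nested ZIPs up to max_depth (loaders often arrive zipped twice)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if is_script(name):
                reasons = ["script extension"]
                # "photo.jpg.vbs" style double extensions are a classic lure
                if name.rsplit("/", 1)[-1].count(".") > 1:
                    reasons.append("double extension")
                body = zf.read(info)
                hits = [h.decode() for h in VBS_HINTS if h in body]
                if hits:
                    reasons.append("script hints: " + ", ".join(hits))
                findings.append((name, reasons))
            elif name.lower().endswith(".zip") and depth < max_depth:
                for path, why in inspect_zip(zf.read(info), depth + 1, max_depth):
                    findings.append((name + "!" + path, why))
    return findings

def build_sample():
    """Constructed lure archive: a decoy image plus a harmless stand-in for a
    VBScript loader with a double extension, wrapped in an outer ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("preview.jpg", b"\xff\xd8\xff\xe0 placeholder bytes")
        z.writestr("OnlyFans_Premium_Collection.jpg.vbs",
                   b'Set sh = CreateObject("WScript.Shell")\r\nExecute(Chr(77))')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"unzip to unlock the collection")
        z.writestr("collection.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reasons in inspect_zip(build_sample()):
        print(path, "->", "; ".join(reasons))
```

A check like this belongs at the mail gateway or download point; on the endpoint itself, the post's advice to remap .vbs to Notepad is what removes the double-click execution path.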